Security researchers believe mass exploitation attempts against WS_FTP have begun

Early signs emerge after Progress Software said there were no active attempts last week


Updated Security researchers have spotted what they believe to be a "possible mass exploitation" of vulnerabilities in Progress Software's WS_FTP Server.

Researchers at Rapid7 began noticing evidence of exploitation on September 30 across multiple instances of WS_FTP.

Progress released fixes for eight separate vulnerabilities in WS_FTP on Wednesday, including one rated a maximum score of 10 on the CVSS severity scale. Days later, the company said there was no evidence of exploitation at the time.

Researchers didn't specify which of the vulnerabilities were being exploited, but noted it appeared that "one or more" of those included in Progress' eight-vulnerability advisory were the subject of exploit attempts.

Attacks began on the evening of September 30, and Rapid7 received alerts from multiple customer environments of attempted attacks within minutes of each other, according to the blog post from Caitlin Condon, senior manager of vulnerability research at Rapid7.

After analyzing the exploit chain, researchers concluded that the process appeared uniform across all the incidents they were alerted to, which could indicate a single cyber criminal attempting mass exploitation of vulnerable WS_FTP instances.

Researchers pointed to a single Burp Suite domain used in every exploit attempt they analyzed, lending further support to the idea that a single baddie is responsible for the attempts.

Detailing the attack chain, Rapid7 said a child process was responsible for executing NTUSER.dll which, after analysis, is thought to be associated with Sliver, Bishop Fox's legitimate open source red-team command-and-control framework.

Exploit attempts seem to be low in volume at present and are visible in only a limited set of telemetry. Bob Rudis of GreyNoise Intelligence, for example, said that his team was still not detecting any attempts as of October 1.

The researchers at Assetnote, who are credited with discovering CVE-2023-40044, the maximum-severity vulnerability in WS_FTP, said their telemetry indicates that 2,900 hosts are running the file transfer software, many of them belonging to large enterprises, governments, and education institutions.

Progress Software said the product has 40 million users, and its website specifically names some of its high-profile customers, including gaming company Rocksteady, NFL team Denver Broncos, Scientific American, and high-street retail giant H&M.

Proof of concept (PoC) code for CVE-2023-40044 began circulating online two days after Progress released its security advisory.

PoC code is often developed quickly once a security advisory is issued, and exploit attempts usually follow.

Rapid7 stressed the importance of upgrading to the latest version of WS_FTP as soon as possible, since it contains the fixes for security issues that affect a wide range of previous versions of the software.

Customers running WS_FTP with the Ad Hoc Transfer module, a configuration targeted by a subset of the eight vulnerabilities disclosed by Progress, are urged to either disable or remove the module.

Progress Software's year to forget

The issues affecting WS_FTP are the latest in what has been a challenging year for the software firm behind the product.

Another of its file transfer products, MOVEit Transfer, was the target of mass exploitation earlier this year from the Cl0p cybercriminal crew.

The group, which this year has become more of a hack-and-extort gang, forgoing the ransomware element entirely, has broken into at least 400 organizations after exploiting a zero-day in MOVEit Transfer.

Most attacks have involved stealing data from victims and holding it to ransom, a tactic adopted by an increasing number of ransomware-associated criminals throughout 2023 including Cl0p, RansomHouse, BianLian, and Karakurt.

As a result of the mass exploitation of MOVEit Transfer, Progress is facing a swathe of lawsuits over the attacks, which are still ongoing months after they began in June.

Researchers at Coveware said in July that they expect Cl0p's campaign against MOVEit to net the cyber criminals between $75 million and $100 million, and that victims were paying much higher ransoms compared to Cl0p's previous attacks.

"While the MOVEit campaign may end up impacting over 1,000 companies directly, and an order of magnitude more indirectly, a very very small percentage of victims bothered trying to negotiate, let alone contemplated paying," said Coveware. 

"Those that did pay, paid substantially more than prior Clop campaigns, and several times more than the global average ransom amount of $740,144."

Updated at 1047 UTC on October 3, 2023, to add

A spokesperson at Progress Software sent us a statement:

"We are disappointed in how quickly third parties released a proof of concept (POC), reverse-engineered from our vulnerability disclosure and patch, released on Sept. 27. This provided threat actors a roadmap on how to exploit the vulnerabilities while many of our customers were still in the process of applying the patch. We are not aware of any evidence that these vulnerabilities were being exploited prior to that release. Unfortunately, by building and releasing a POC rapidly after our patch was released, a third party has given cyber criminals a tool to attempt attacks against our customers. We are encouraging all WS_FTP server customers to patch their environments as quickly as possible.

"The security of our customers is our top priority and we continue to work with our customers and responsible third-party research experts to discover, properly disclose and remediate any issues. We hope that the community will discourage the irresponsible publication of POCs rapidly following the release of security patches from software vendors."
